4 BYOD Security Strategies For Small Business

Whether or not your company embraces the bring-your-own-device approach, don't ignore the data integrity and retention implications of all the personal smartphones and tablets showing up in the workplace.


Your network might be hosting a BYOD (bring your own device) party even if you don't realize it. It doesn't matter whether your company actually allows employees to use their personal mobile devices for business purposes: Those smartphones and tablets are still inside the corporate walls.

"It's a wave that's not stopping," said Wayne Wong, managing consultant at Kroll Ontrack, in an interview. Kroll Ontrack specializes in data recovery, e-discovery, and other legal applications of technology. "Even if you attempt to put a policy out there that prohibits the use of personal devices, you'll see a lot of them every day, more and more."

That leads to one of the critical issues inherent in the BYOD approach, company-sanctioned or not: Mixing personal and corporate data willy-nilly. Small and midsize businesses (SMBs) sometimes face a more significant struggle on this front than large enterprises. "It's very hard for them to be more controlling [of data] like some of the larger organizations are able to achieve," Wong said.

This can be a huge problem for firms that operate under regulatory restrictions. But even SMBs that aren't dealing with a heavy compliance burden could find themselves in a lawsuit or other situation where data integrity and retention become critical. Wong notes that SMBs can sometimes be overwhelmed by the data implications of a BYOD approach; they could just as easily ignore them altogether. Here are four interrelated strategies he recommends for harnessing the upside of BYOD while managing associated risks.

1. Technology Use Policy

Step one in ensuring a strong, manageable approach to data retention is to create a policy that outlines what is--and what isn't--acceptable for employees to do when it comes to personal mobile devices, applications, and other tech tools. "Policy or governance is the starting point that will then drive procedures and processes," Wong said. "Companies really need to make it clear to employees what is appropriate and what is not appropriate regarding the use of technologies such as Gmail or other personal e-mail accounts and social media, for example." That policy also needs to explicitly cover employee responsibilities for retaining and storing data. (See #3 for more on this.)

2. Employee Education

Assume the concept of data retention has never occurred to most of your staff--because it probably hasn't. "SMBs should organize periodic training so that employees can clearly understand the appropriate and inappropriate uses of their personal devices," Wong said. This training should cover things like social media usage, personally identifiable information, strong passwords, and privacy settings. Regarding the latter, Wong notes a common misconception among users: Confusing privacy with privilege. In the event of a lawsuit, an employee's social media data can be discoverable regardless of privacy settings--make sure employees understand that.

3. Data Segregation

Wong advises SMBs to make data segregation a fundamental practice--namely, keep corporate and personal data separate for retention purposes. This can save you a ton of headaches in the event of litigation, compliance-related audits, and so forth. The best way to enable this is to provision corporate storage space and make clear to employees the processes for backing up their data there--and for keeping their personal info out.

4. The Social Factor, Redux

Social media should be a critical part of the aforementioned education and training, but it gets an encore here because it flies in the face of #3. "One of the dangers of social media is that it does not allow a segregation of your professional life and your private life," Wong said. A simple example: The second someone lists their employer--and all of their previous employers, to boot--on Facebook, that line instantly vanishes. "When people post things--whether pictures, opinions, comments--all of that now is exposed to scrutiny, regardless of the impression that Facebook gives you that you have privacy settings," Wong said. He added that the legal system is increasingly inclined to consider social media information discoverable in lawsuits; user privacy settings are irrelevant.

The social business boom also points to an underlying issue that Wong thinks employees often don't recognize when they bring personal technology into their jobs. Caveat emptor, modern worker: "I don't think people understand that, when they ask to use a personal device and get blessed, they've agreed to the fact that now anything they do on that personal device can be argued to be company property," Wong said.


BYOD has a number of benefits for the company and the end-user, but it has issues as well. Companies need to be conscious of safeguarding internal resources from compromised BYOD devices, and protecting proprietary data on those devices as well. I like the information in this article about how to embrace mobility and BYOD without compromising on security. http://www.pcworld.com/article...

Arthur, the concept of a dual persona is tough for some people to grasp. Even when the importance of separating work and personal is explained to them, it is like explaining percentages or fractions to them.

How many people do you know who use their work email for everything? All those dumb jokes, forwarded photos, and dating messages... Or the small businesses that even have a web address for their business, but still use their AOL account for email?

You are correct, though, that companies should 'force' the dual personas, perhaps by telling everyone that everything using the business address is property of the business, and subject to review. Then a month later, actually review some personal emails with them. :) Watch how quickly the personal stuff leaves the work email.

I am surprised that this post did not mention the use of "dual persona" mobile clients that will keep personal and business contacts completely separated on smartphone/tablet devices. The "dual persona" approach is what will enable practical BYOD policies to be established without all the "training" that is suggested.
